FTP server problems behind PF firewall - BSD


FTP server problems behind PF firewall

Hello,

I've got a ProFTP FTP server running on a private network and it must be
made publicly available on the internet through our OpenBSD 3.9 PF
firewall. The problem right now is that I managed getting the FTP server
available using active mode, but then if I use passive mode the FTP
server simply doesn't answer when I do data transfers.

Here are the entries I have added in my pf.conf to make the FTP server
available from the internet:

# RULES
pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver port 21 flags S/SAFR synproxy state
pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver port 50099 >< 50251 flags S/SAFR modulate state

And in ProFTP configuration file I have configured a portrange for
passive connections between 50100 and 50250 with the following parameter:

PassivePorts 50100 50250

Does anyone have an idea what is wrong here? Or is it simply
impossible to have an FTP server available in active and passive mode
behind an OpenBSD firewall without using ftp-proxy? I would like first
to be sure, because I would like to avoid using ftp-proxy if possible.

Many thanks in advance
Regards

Re: FTP server problems behind PF firewall

syn_NOSPAM_uw wrote:
> Hello,
>
> I've got a ProFTP FTP server running on a private network and it must be
> made publicly available on the internet through our OpenBSD 3.9 PF
> firewall. The problem right now is that I managed getting the FTP server
> available using active mode, but then if I use passive mode the FTP
> server simply doesn't answer when I do data transfers.
>
> Here are the entries I have added in my pf.conf to make the FTP server
> available from the internet:
>
> # NAT
> nat on $ext_if from $int_ip_ftpserver -> $ext_ip_ftpserver
>
> # RDR
> rdr on $ext_if proto tcp from any to $ext_ip_fpserver port 21 ->
> $int_ip_ftpserver port 21
> rdr on $ext_if proto tcp from any to $ext_ip_ftpserver port 50100:50250
> -> $int_ip_ftpserver
>
> # RULES
> pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver
> port 21 flags S/SAFR synproxy state
> pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver
> port 50099 >< 50251 flags S/SAFR modulate state
>
> And in ProFTP configuration file I have configured a portrange for
> passive connections between 50100 and 50250 with the following parameter:
>
> PassivePorts 50100 50250
>
> Does anyone have an idea what is wrong here? Or is it simply
> impossible to have an FTP server available in active and passive mode
> behind an OpenBSD firewall without using ftp-proxy? I would like first
> to be sure, because I would like to avoid using ftp-proxy if possible.

Why? ftp-proxy adds a lot of security.

I'd recommend replacing the flags with scrub, but that should not be the
problem.

Otherwise, it looks like it should work. Please add 'log' to all 'block'
rules, run tcpdump on pflog0, and report back on the results.

Joachim

Re: FTP server problems behind PF firewall

I agree ftp-proxy is nice and its reverse function is working fine, but
it has one negative point: the incoming connections on the internal FTP
server then all originate from the firewall with its internal IP
and not the real IP of the person connecting. That's why I would like to
avoid using it.
> I'd recommend replacing the flags with scrub, but that should not be the
> problem.

I've got this in pf.conf:

scrub in all
> Otherwise, it looks like it should work. Please add 'log' to all 'block'
> rules, run tcpdump on pflog0, and report back on the results.

I've got the following and only block entry in pf.conf:

block log all

And unfortunately, and that's what's very strange, there is nothing about
FTP being logged with tcpdump -i pflog0, really nothing, so in theory
the FTP packets are passing but passive mode simply doesn't work. I
don't understand where the problem could be. Do you have any other ideas?

Regards

Re: FTP server problems behind PF firewall

syn_NOSPAM_uw wrote:
> jKILLSPAM.schipper@math.uu.nl wrote:
>
>> Why? ftp-proxy adds a lot of security.
>
> I agree ftp-proxy is nice and its reverse function is working fine, but
> it has one negative point: the incoming connections on the internal FTP
> server then all originate from the firewall with its internal IP
> and not the real IP of the person connecting. That's why I would like to
> avoid using it.

The FTP server will not care, and the firewall can do
bandwidth/connection limiting on its behalf.

The one thing that may be difficult to implement is saying that some
user may only connect from a specific subnet, but the rest can be done
well - and usually faster - in pf(4).
And the number of FTP servers that can do the above is not very large,
I'd guess - I've never had a need for it, so didn't try.
>> I'd recommend replacing the flags with scrub, but that should not be the
>> problem.
>
> I've got this in pf.conf:
>
> scrub in all

Then the flags command is pretty much redundant - TCP packets that make
no sense will be dropped anyway.
>> Otherwise, it looks like it should work. Please add 'log' to all 'block'
>> rules, run tcpdump on pflog0, and report back on the results.
>
> I've got the following and only block entry in pf.conf:
>
> block log all
>
> And unfortunately, and that's what's very strange, there is nothing about
> FTP being logged with tcpdump -i pflog0, really nothing, so in theory
> the FTP packets are passing but passive mode simply doesn't work. I
> don't understand where the problem could be. Do you have any other ideas?

Hmm, strange. Could you run tcpdump on the outside and inside, and
report the results?

For added readability, tcpdump -Xs1500 might be useful, as it includes
full protocol information.

Joachim

Re: FTP server problems behind PF firewall

jKILLSPAM.schipper@math.uu.nl wrote:
> Hmm, strange. Could you run tcpdump on the outside and inside, and
> report the results?
>
> For added readability, tcpdump -Xs1500 might be useful, as it includes
> full protocol information.

The problem has been resolved, I needed to add the "MasqueradeAddress"
option in proftpd with the external IP address.
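The root cause behind that fix is visible in the server's PASV reply: without MasqueradeAddress, proftpd advertises its private address, so the client tries to open the data connection to a non-routable IP and the firewall never sees it (which is why pflog showed nothing). The check below is an added example, not code from the thread: it parses a 227 reply and flags an RFC 1918 address or a port outside the PassivePorts/rdr range. The public address 203.0.113.10 and the sample replies are constructed placeholders.

```python
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed for this example: the thread's PassivePorts range and a
# documentation-range address standing in for $ext_ip_ftpserver.
PASSIVE_PORTS = (50100, 50250)
EXT_IP_FTPSERVER = "203.0.113.10"
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply, expected_ip=EXT_IP_FTPSERVER, port_range=PASSIVE_PORTS):
    """List the reasons the passive data connection through PF would fail."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 PASV reply"]
    ip, port = parsed
    problems = []
    addr = ipaddress.ip_address(ip)
    if ip != expected_ip:
        if any(addr in net for net in RFC1918):
            problems.append(f"server advertises private address {ip}; set MasqueradeAddress")
        else:
            problems.append(f"advertised {ip} is not the firewall address {expected_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} outside PassivePorts {lo}-{hi}; no rdr/pass rule covers it")
    return problems


# Constructed replies: before and after adding MasqueradeAddress to proftpd.conf.
BEFORE = "227 Entering Passive Mode (192,168,1,20,195,200)."
AFTER = "227 Entering Passive Mode (203,0,113,10,195,200)."

if __name__ == "__main__":
    for reply in (BEFORE, AFTER):
        print(reply, "->", diagnose_pasv(reply) or "ok")
```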